HomeGeneral InterestCybercrime and security in rail

Cybercrime and security in rail

Listen to this article

Recent events in Europe and the Government’s ‘Cyber Security Breaches Survey 2022’ report have reinforced the importance of good cyber security measures for all companies and organisations. Rail Engineer recently met up with Paul Burbridge, detective sergeant at the British Transport Police (BTP) Cybercrime unit, to discuss how the rail industry can better defend itself from cybercrime

The Government’s report covered all UK industry and identified that 39% of businesses identified at least one cyber-attack on their operations in the last 12 months, with phishing attempts the most common threat, reported by 83%. Cyber phishing is when attackers attempt to trick users into doing ‘the wrong thing’, such as disclosing security information such as passwords or clicking on a harmful link that will download malicious software (malware).

Ransomware

More sophisticated cybercrime types, such as a denial of service (DoS) or ransomware were reported by 21% of businesses. DoS is an attack designed to shut down a device or network by flooding the victim with traffic, while ransomware is a type of malware that threatens to publish the victim’s data, or lock access, unless a ransom is paid. Despite its relative low prevalence, organisations considered ransomware as a major threat, with 56% cent having a policy not to pay ransoms.

One in five businesses and 19% of charities say they experienced a negative outcome as a direct consequence of a cyber-attack, while 38% experienced at least one negative impact. Thirty-one percent of businesses and 26% of charities estimate they were attacked at least once a week.

The government guidance – ‘10 Steps to Cyber Security’ – has been designed to break down the task of protecting an organisation into 10 key components. The survey found that 49% of businesses and 40% of charities have acted in at least five of these areas. Access management came out as the most proactive, with supply chain security the least proactive in implementing defences to cybercrime.

The survey also showed that 54% of businesses have acted in the past 12 months to identify cyber-security risks, with the risk often passed on to outsourced cyber providers, insurance companies, or internal cyber colleagues.

It is a concern that the 2022 survey says that there remains a lack of both will and skill around organisational cyber security, resulting in gaps in “some more fundamental areas of cyber hygiene”. Fewer than one in five businesses have a formal incident management plan; there is a lack of technical knowhow expertise within smaller organisations and at senior level within larger organisations – despite cyber security being seen as a high priority area, and investment in cyber security is still largely viewed as a cost rather than an investment. Therefore, many organisations rely on a reactive approach to cyber security instead of proactively driving improvements.

Rail underreporting

While the number of reported attacks is a consistent figure in recent years, the survey also noted that enhanced cyber security can lead to higher identification of attacks, suggesting that some less cyber-mature organisations may be under-reporting threats. BTP suspects under reporting of cybercrime may be the case in rail and Paul said “I urge anyone who may have had a cyber-attack to report it to us. We can then provide advice and help and build up an accurate picture of the cyber threats to rail.”

“We also have excellent links to other UK government experts in cybercrime along with international law enforcement organisations. Not reporting a cyber security incident can lead to what may appear to be a ‘non-loss’ situation developing into a major problem if it is not properly and thoroughly investigated.”

Rail at risk

During the early stages of the Russo-Ukraine crisis, it is reported that railway workers, hackers, and dissident security forces disabled or disrupted the railway links connecting Russia to Ukraine through Belarus, disrupting supply lines. In January, a group calling themselves Belarusian Cyber-Partisans carried out a ransomware attack on the Belarusian state railway network, encrypting the data on a number of its servers. They posted screenshots online to illustrate the level of access they had obtained.

High angle shot of an unidentifiable man using a laptop late at night

The group claimed to have attacked many of the railway’s ‘automated systems’ and that they had the capability to alter the function of the railway’s automatic route setting software. There was evidence reported that significant disruption was caused. Following the invasion, the group announced a further cyber attack and Belarusian railway websites were confirmed to be down for some time. Social media showed long queues of people for tickets several days after the incident.

The Financial Times reported that US cyber security experts had reduced the potential for attacks as part of their pre-emptive cyber defence work for Ukraine. One particular type of malware called Wiperware was found on the Ukrainian Railway’s servers. Unlike ransomware, and other common malware, Wiperware is not focused on theft or financial gain. It is purely destructive and is designed to significantly damage systems by erasing data and programs, with no way of restoring them.

In March, Reuters reported that the Italian railway company Ferrovie dello Stato Italiane (FS) had temporarily halted some ticket sales as it believed it had been targeted by a cyber attack. “Since this morning, elements that could be linked to a crypto locker infection have been detected,” the company said. FS went on to say it had suspended the sale of tickets at its offices and self-service machines in train stations as a precautionary measure, while online sales were working as usual. The disruptions did not impact rail traffic, which was running smoothly, FS added.

Good practice

Attacks like the ones reported may lead to escalation, which increases the risk to other railways. Previous major cyber-attacks, such as Stuxnet and NotPetya, led to the spread of cyber viruses and the copying of techniques by new attackers. The rail industry therefore needs to examine the recent incidents as examples of cyber-attacks to rail that could be repeated by others.

There is lots of advice and good practice of cyber security available from organisations such as the National Cyber Security Centre. Steps that should be considered include addressing cybersecurity at the earliest stage of any project as attempts to retrofit security solutions will almost certainly fail; carrying out a regular threat analysis considering both internal and external threats to security; and defence in depth – cyber security should be implemented in layers using a wide range of solutions to provide monitoring and defence across and throughout the organisation. This should include protection from physical attack by using proven secure locking systems to protect communications cables and ports, equipment rooms, and equipment cabinets in rooms and on rolling stock. Access to equipment must only be given to competent, trusted maintainers.

Digital background depicting innovative technologies in security systems, data protection Internet technologies 3d rendering

Organisations must also use recognised good security management practice, such as the ISO/IEC 27000 series of standards, and implement physical, personnel, procedural and technical measures.  They should implement simple measures, such as instructing everyone not to use USB drives or click on any links from outside the business without checking they are safe.

Cyber security should be implemented using a quality assurance system based on: requirements capture – specify – development – design – implement – maintain – test. Every organisation should also be tested on a regular basis, ideally by an independent third party.

Summary

Many businesses and organisations lack the will and skill for good organisational cyber security, resulting in gaps in “some more fundamental areas of cyber hygiene,” according to the government’s report. Cyber attacks in other countries suggest that cybercrime is a risk to UK rail. However, solutions and tools are available and cybercrime is another challenge that railways must rise to. All instances of rail cybercrime must be reported to BTP, who are ready to investigate, help and advise.

Organisations or businesses who need to contact BTP can contact the Pursue team at [email protected]. If you are a rail company or part of the railway supply chain and experiencing a live and ongoing cyber-attack, please contact the BTP control room on 0800 405 040.

Paul Darlington CEng FIET FIRSE
Paul Darlington CEng FIET FIRSEhttp://therailengineer.com

SPECIALIST AREAS
Signalling and telecommunications, cyber security, level crossings


Paul Darlington joined British Rail as a trainee telecoms technician in September 1975. He became an instructor in telecommunications and moved to the telecoms project office in Birmingham, where he was involved in designing customer information systems and radio schemes. By the time of privatisation, he was a project engineer with BR Telecommunications Ltd, responsible for the implementation of telecommunication schemes included Merseyrail IECC resignalling.

With the inception of Railtrack, Paul moved to Manchester as the telecoms engineer for the North West. He was, for a time, the engineering manager responsible for coordinating all the multi-functional engineering disciplines in the North West Zone.

His next role was head of telecommunications for Network Rail in London, where the foundations for Network Rail Telecoms and the IP network now known as FTNx were put in place. He then moved back to Manchester as the signalling route asset manager for LNW North and led the control period 5 signalling renewals planning. He also continued as chair of the safety review panel for the national GSM-R programme.

After a 37-year career in the rail industry, Paul retired in October 2012 and, as well as writing for Rail Engineer, is the managing editor of IRSE News.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.